Skip to content
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Commit dbed7b6

Browse files
mimaisonomkreddy
mimaison
authored and
omkreddy
committedFeb 3, 2025·
MINOR: Cleanups in JaasUtils (apache#18522)
Reviewers: Luke Chen <showuon@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com>
1 parent 248e356 commit dbed7b6

File tree

2 files changed

+28
-3
lines changed

2 files changed

+28
-3
lines changed
 

‎clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java

+2-1
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,8 @@ public final class JaasUtils {
2626
private static final Logger LOG = LoggerFactory.getLogger(JaasUtils.class);
2727
public static final String JAVA_LOGIN_CONFIG_PARAM = "java.security.auth.login.config";
2828
public static final String DISALLOWED_LOGIN_MODULES_CONFIG = "org.apache.kafka.disallowed.login.modules";
29-
public static final String DISALLOWED_LOGIN_MODULES_DEFAULT = "com.sun.security.auth.module.JndiLoginModule";
29+
public static final String DISALLOWED_LOGIN_MODULES_DEFAULT =
30+
"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule,com.ibm.security.auth.module.LdapLoginModule,org.eclipse.jetty.jaas.spi.LdapLoginModule";
3031
public static final String SERVICE_NAME = "serviceName";
3132

3233
public static final String ZK_SASL_CLIENT = "zookeeper.sasl.client";

‎clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java

+26-2
Original file line numberDiff line numberDiff line change
@@ -188,6 +188,10 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
188188
String jaasConfigProp1 = "com.sun.security.auth.module.JndiLoginModule required;";
189189
assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1));
190190

191+
//test LdapLoginModule is not allowed by default
192+
String jaasConfigProp2 = "com.sun.security.auth.module.LdapLoginModule required;";
193+
assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
194+
191195
//test ListenerName Override
192196
writeConfiguration(Arrays.asList(
193197
"KafkaServer { test.LoginModuleDefault required; };",
@@ -196,11 +200,19 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
196200
assertThrows(IllegalArgumentException.class, () -> JaasContext.loadServerContext(new ListenerName("plaintext"),
197201
"SOME-MECHANISM", Collections.emptyMap()));
198202

203+
//test ListenerName Override
204+
writeConfiguration(Arrays.asList(
205+
"KafkaServer { test.LoginModuleDefault required; };",
206+
"plaintext.KafkaServer { com.sun.security.auth.module.LdapLoginModule requisite; };"
207+
));
208+
assertThrows(IllegalArgumentException.class, () -> JaasContext.loadServerContext(new ListenerName("plaintext"),
209+
"SOME-MECHANISM", Collections.emptyMap()));
210+
199211
//test org.apache.kafka.disallowed.login.modules system property with multiple modules
200212
System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, " com.ibm.security.auth.module.LdapLoginModule , com.ibm.security.auth.module.Krb5LoginModule ");
201213

202-
String jaasConfigProp2 = "com.ibm.security.auth.module.LdapLoginModule required;";
203-
assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
214+
String jaasConfigProp3 = "com.ibm.security.auth.module.LdapLoginModule required;";
215+
assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp3));
204216

205217
//test ListenerName Override
206218
writeConfiguration(Arrays.asList(
@@ -215,6 +227,7 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
215227
System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, "");
216228

217229
checkConfiguration("com.sun.security.auth.module.JndiLoginModule", LoginModuleControlFlag.REQUIRED, new HashMap<>());
230+
checkConfiguration("com.sun.security.auth.module.LdapLoginModule", LoginModuleControlFlag.REQUIRED, new HashMap<>());
218231

219232
//test ListenerName Override
220233
writeConfiguration(Arrays.asList(
@@ -226,6 +239,17 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
226239
assertEquals(1, context.configurationEntries().size());
227240
checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.JndiLoginModule",
228241
LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
242+
243+
//test ListenerName Override
244+
writeConfiguration(Arrays.asList(
245+
"KafkaServer { com.sun.security.auth.module.LdapLoginModule required; };",
246+
"plaintext.KafkaServer { com.sun.security.auth.module.LdapLoginModule requisite; };"
247+
));
248+
context = JaasContext.loadServerContext(new ListenerName("plaintext"),
249+
"SOME-MECHANISM", Collections.emptyMap());
250+
assertEquals(1, context.configurationEntries().size());
251+
checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.LdapLoginModule",
252+
LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
229253
}
230254

231255
@Test

0 commit comments

Comments
 (0)
Please sign in to comment.